I’m not sure if I’m misunderstanding what it’s doing, but I think the “Allowed Addresses” setting in Cockpit → Networking → Add Zone is kinda misleading?
It seems that it sets the sources for the zone (checked with firewall-cmd --info-zone). But sources in firewalld is alternative to interface, not as an additional constraint[1]. Which means that when a packet doesn’t match the interface but matches the “Allowed Addresses”, the zone rule will still apply to it.
interface
It can be used to bind an interface to a zone.
source
It can be used to bind a source address, address range, a MAC address or an ipset to a zone.
The options “Entire subnet” and “Range” also sounds misleading for this reason. “Entire subnet” leaves sources blank which doesn’t match additional addresses compared to “Range”.
In case that I misunderstood the tool, I also added a test zone with a range, dumped the nft rulesets and compared them, it seems to be like what I said above, though the nft rule firewalld generates is always complicated so I’m not certain on that.